I have a PIX 515E with a privately numbered inside interface and a publicly numbered outside interface. I am doing a combination of static NAT for inbound connections for different services and PAT for outbound connections for internal hosts. The problem I have is that when I ping the public address of one of the static translations, the PING fails. When I ping to a host numbered within the same external subnet as the public address of one of the static translations, the ping works fine. I believe this behavior is caused by the fact that the PIX by default will not allow traffic entering on an interface to then be turned around and sent right back out the same interface, or "hairpinned" as they say. So since the traffic would be flowing from inside interface to outside inside interface and then back to inside interface, the packets are dropped and the ping fails. Pinging to other hosts in the same subnet as the outside interface works because the traffic flow is inside---->outside then outside----->inside. I believe there is a way to get this to work by using the "same-security-traffic permit intra-interface" command on code version 7.2(1) and up, but I would like to confirm if this is indeed what's happening. Any help would be appreciated.